A group of security researchers has discovered a critical flaw in automatic carwash systems that are connected to the Internet. By exploiting the vulnerability, an attacker could remotely hijack the carwash and directly endanger the health and well-being of the vehicle’s occupants by trapping them, damaging the vehicle or even physically attacking individuals.
In an ever-evolving technological world, modern carwashes have become what we are accustomed to thinking of as “smart”: fully automated and remotely controlled. As wondrous as the Internet of Things and interconnectivity may be, smart control systems connected to the Internet are nonetheless still susceptible to remote intrusion and, consequently, exploitation.
Vulnerabilities in Drive-Through Carwashes Connected to the Internet
Billy Rios, the CEO of Whitescope Security, and Jonathan Butts, founder of QED Secure Solutions, were able to find vulnerabilities in drive-through carwashes connected to the Internet. The PDQ LaserWash carwashes are widely popular and accessible around the US, mainly because they do not require staff to operate. The carwash itself is fully automated and, unlike most conventional carwashes, it requires neither brushes nor any physical contact with the vehicle. A mechanical arm moves around the vehicle spraying water and wax. The built-in touchscreen interface lets the customer choose their preferred cleaning option without any interaction with staff. The bay doors at the entrance and the exit, in turn, can be programmed to open and close at the start and end of each day.
Authentication Bypass Within Built-In Web Server
What might come as a surprise is that the PDQ LaserWash, on which the tests were initially performed, runs an embedded Windows CE operating system that is no longer supported by Microsoft. Outdated and unsupported operating systems are often favored by hackers looking to hijack and exploit a system. The main flaw that the researchers discovered is an authentication bypass within the built-in web server, which in turn allows access to the control panel. PDQ systems require a username and password for online access; however, the researchers claim the default password can be easily guessed (1234, as it is in many cases). Not all carwashes operate on a fully automatic basis, but using the Shodan search engine the researchers were able to find over 150 carwashes online, exposed to hijacking.
At its core, the security issue is that the carwash is directly connected to the Internet. The web-based interface lets the business owner operate the carwash remotely, but it guarantees little security. If the hijack is successful, a hacker could exploit the above-mentioned vulnerability in various ways, including:
- Writing a fully automated attack script that bypasses authentication and sends an instantaneous command to close either one or both bays of the carwash, trapping the vehicle inside.
- Repeatedly opening and closing one of the bays as the driver attempts to leave, striking the vehicle multiple times and causing damage in the process.
- Injuring or harming the occupants, whether they are inside or outside the vehicle.
- Manipulating the mechanical arm to continuously spew water or to hit the vehicle, making it increasingly difficult for occupants to exit the vehicle.
In the meantime, ICS-CERT has issued an advisory warning regarding automated car wash systems such as LaserWash, LaserJet and ProTouch, all manufactured by PDQ, stating that all three systems are susceptible to remote intrusions, requiring a “low skill level to exploit”. Affected systems, both within and outside the US, include:
- All versions of ProTouch Icon, ProTouch AutoGlass and ProTouch Tandem.
- All versions of LaserWash AutoXpress and AutoXpress Plus.
- All versions of LaserWash 360 and LaserWash 360 Plus.
- All versions of LaserWash M5.
- All versions of LaserWash G5 and LaserWash G5 S Series.
- All versions of LaserJet.
It is unclear what the timeframe for the anticipated fix will be or how long it will be in development. Until then, carwash owners will have to remain patient; ICS-CERT has compiled a list of PDQ’s recommendations for carwash owners, devised to help them mitigate and limit the chances of already affected carwash systems being hijacked and exploited.